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0 Key distribution method. 



0 The invention relates to a method of distributing 
a key for enciphering un unenciphered or plaintext 
message and for deciphering the enciphered mes- 
sage. 

The method comprises the following steps: 
generating a first random number in a first system 
(101); generating first key distribution infonmation In 
the first system (101) by applying a predetermined 
first transfonnation to the first random number on the 
basis of first secret information known only by the 
first system (101); transmitting the first key distrlbu* 
tion Information to a second system (102) via a 
communication channel (103); receiving the first key 
distribution Information in the second system (102); 
generating a second random number in the second 
system (102); generating second key distribution In- 
formation by applying the predetermined first trans- 

afonnation to tiie second random number on the 
basis of second secret Information known only by 
l^tiie second system (102); transmitting the second 
50 key distribution Information to the first system (101) 
lAvia tfie channel (103); receiving the second key 
1^ distribution information in the first system (101): and 
tfi generating an enciphering key in the first system 
N(101) by applying a predetermined second trans- 
Q formation to the second key distribution information 
on the basis of tiie first random number and iden- 
gjtification information of tiie second system (102) 
which is not secret 
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KEY DISTRIBUTION METHOD 



BACKGROUND OF THE INVENTION 

The invention relates to a method of distribut- 
ing a key for enciphering an unenciphered or plain- 
text message and for deciphering the enciphered 
message. 

A public Icey distribution method used in a 
public key cryptosystem as a well-known key dis- 
tribution method is disclosed in a paper entitled 
•New Directions in Cryptography" by W. Diffie and 
M.E Hellman, published in the IEEE Transactions 
on Information Theory. Vol. IT-22, No. 6. pp. 644 to 
654, November issue. 1976. The key distribution 
method diseased in the paper memorizes public 
information for each of conversers. In the system, 
before a converser A sends an enciphered mes- 
sage to a converser B, the converser A prepares 
an enciphering key (which represents a number 
obtained by calculating Yb^a (mod g )) gen- 
erated from public information Yb of the converser 
B and secret information Xa which is kept secret 
by the converser A. The number q is a large prime 
number of about 256 bits in binary representation, 
which is publicly known, a (mod b) means a 
remainder of division of the numt)er a by the num- 
ber b. The converser B also prepares" ttie key wk In 
accordance to Ya^b (mod g) in a similar man- 
ner. Ya and Yb are selected so as to be equal to 
a^A (mod g) and a^fi» (mod g), respec- 
tively. As a result, Yb (mod g ) becomes 
equal to Ya^6 (mod g). ft is known that even if 
Ya, a and g are known, It is infeasible for anybody 
except the converser A to obtain Xa which satisfies 
Ya = a^A (mod g). 

The prior art key distribution system of the 
type described, however, has disadvantages in ttiat 
since tiie system needs a large amount of public 
information corresponding to respective convers- 
ers, the amount of the public information increases 
as the number of conversers iricreases. Further, 
strict control of such information becomes neces- 
sary to prevent the information from being tam- 
pered. 



SUMMARY OF THE INVENTION 

An object of the invention is, therefore, to pro- 
vide a key distribution metiiod free from the at)ove- 
mentioned disadvantages of the prior art system. 

According to an aspect of the invention, there 
is provided a metfiod which comprises the follow- 
ing steps: generating a first random number in a 
first system: generating first key distribution in- 



formation in tiie first system by applying a pre- 
determined first transformation to tiie first random 
number on the basis of first secret information 
known only by tiie first system; transmitting the 
5 first key distribution information to a second sys- 
tem via a communication channel; receiving the 
first key distribution information In the secofKl sys- 
tem; generating a second random number in tiie 
second systern; generating second key distribution 
10 information by applying the predetermined first 
transformation to the second random number on 
the basis of second secret information known only 
by the second system; transmitting the second key 
distribution information to the first system via the 
75 channel; receiving the second key distribution In- 
formation in the first system; and generating an 
enciphering key in the first system by appl^ng a 
predetenmined second transformation to the sec- 
ond key distribution tnfbrmation on the basis of the 
20 first random number and identification information 
of the second system which Is. not secret 

According to anotiier aspect of tiie invention, 
there is provided a method which comprises the 
following steps: generating a first random number 
25 in the first system; generating first key distribution 
infonnation by applying a predetermined first trans- 
formation to the first random number on the basis 
of public information in the first system and gen- 
erating first identification information by applying a 
30 predetermined second transformation to the first 
random number on the basis of first secret informa- 
tion known only by the first systemr transmitting 
tiie first key distribution infomnation and the first 
identification information to a second system via a 
35 communication channel; receiving the first key dis- 
tribution information and tiie first identification in- 
formation In the second system: examining whetiier 
or not tiie result obtained by applying a predeter- 
mined ttiird transfonnation to the first key distribu- 
40 tion infomiation on ttie basis of tiie first identifica- 
tion Information satisfies a first predetermined con- 
dition, and. if it does not satisfy, suspending key 
distribution processing; generating a second ran- 
dom number if said condition is satisfied in the 
45 preceding step; generating second key distribution 
Infonnation by applying tiie predetermined first 
transformation to the second random number on 
the basis of the public information, and generating 
second identification information by applying the 
50 predetermined second transformation to the sec- 
ond random number on the basis of second secret 
information known only by the second system; 
transmitting the second key distribution information 
and tiie second identification information to tiie first 
system via the communication channel; and exam- 
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ining whether or not the result obtained by applying 
a third predetenmined transformation to the second 
key distribution information on the basis of the 
second identification infonnation in the first system 
satisfies a predetermined second condition, and if 
the result does not satisfy the second condition, 
suspending the key distribution processing, or if it 
satisfies the second condition, generating an enci* 
phering key by applying a fourth predetermined 
transformation to the first random number on the 
basts of the second key distribution information. 



BRIEF DESCRIPTION OF THE DRAWINGS 

Other features and advantages of the invention 
will become more apparent from the following de- 
tailed description when taken in conjunction with 
the accompanying drawings in which: 

RG. 1 is a block diagram of a first emtDodl- 
ment of the invention; 

FIG. 2 is a block diagram of a second em- 
bodiment of the invention; and 

RG. 3 is a block diagram of an example of 
systems 101, 102, 201 and 202, 

In the drawings, the same reference numerals 
represent the same structural elements. 



PREFERRED EMBODIMENTS 

Refening now to RG. 1, a first embodiment of 
the invention comprises a first system 101. a sec- 
ond system 102 and an insecure communicatfon 
channel 103 such as a telephone line which trans- 
mits communication signals between the systems 
101 and 102. It is assumed herein that the systems 
101 and 102 are used by users or conversers A 
and B, respectively. The user A has or knows a 
secret integer number Sa and public integer num- 
bers e. c, a and n which are not necessarily secret 
while the user b" has or knows a secret integer 
number Ssand the public Integer numbers. These 
integer numbers are designated and distributed in 
advance by a reliable person or organization. The 
method to designate the integer numbers will be 
descrit)ed later. 

An operation of the embodiment will next be 
described on a case in which the user A starts 
communication. The system 101 of the user A 
generates a random number ^ (Step A1 In FIG. 1) 
and sends a first key distribution code X a repre- 
sentative of a number obtained by computing Sa o 
ay (mod n) (Step A2) to the system 102 of the user 
B (step A3). Next, when the system 102 receives 
the code XA(Step Bl). It generates a random num- 
ber t (Step B2), calculates P(a^/IDa) * (mod n) (Step 
B5). and keeps the resulting number as a encipher- 



ing key wk for enciphering a message into storage 
means (not shown). The identification code IDa 
represents herein a number obtained by consider- 
ing as a numeric value a code obtained by encod- 

5 ing the address, the name and so on of the user A. 
The encoding is, for instance, performed on the 
basis of the American National Standard Code for 
Infonmation Interchange. Then, the system 102 
transmits to the system 101 of the user A a second 

10 key distribution code Xb representathfe of a num- 
ber obtained by caknilallng Sb oa* (mod n ) (Steps 
B3 and B4). 

The system 101, on the other hand, receives 
the code Xb (Step A4). calculates (Xb^/IOb)'^ (mod 

T6 n) (Step A5), and keeps the resulting number as 
the key wk for enciphering a message. The iden- 
tification code IDb represents the numbers obtained 
by considering as a numeric value a code obtained 
by encoding the name, address, and so on of the 

20 user B. 

Subsequently, communication between the us- 
ers A and B will be conducted by transmitting 
messages enciphered with the enciphering key wk 
via the channel 103. 

25 The Integer numbers Sa, Sb. e, c, o and n are 
determined as follows, n is assumed to be a prod- 
uct of two suffictentty large prime numbers g and 
g. For Instance, g and 3 may be 22» or so. e and c 
are prime numbers which are equal to or less than 

30 n. while a is a positive Integer number which is 
equal to or less than n. Further, d is defined as an 
integer number which satisfies e.d (mod (p-l)o(q- 
1)) = 1. S A and Sb are defined as numbers 
obtainable from IDa^ (mod n) and IDb^ (mod n), 

3S respectively. 

If Sa, Sb. e, c, a, and n are defined as above. 
IDa and ID a become equal to Sa® (mod n) and 
SB*'{mod n), respectively. This can be proved from 
a paper entitled "A Method for Obtaining Digital 

40 Signatures and Publlck-Key Cryptosystems" by 
R.L RIvest et al., published in the Communication 
of the ACM, Vol. 21, No. 2, pp. 120 to 126. Since 
the key obtained by (Xb^/IDb)' (mod n) on the side 
of the user A becomes equal to o®^"(mod n) and 

45 the key obtained by PCa^/IDa)^ (mod n ) on the side 
of the user B becomes equal to a^~(mod n), they 
can prepare the same enciphering key. Even if a 
thinj party tries to assume the Identity of the user 
A, he cannot prepare the key wk since he cannot 

50 find out z which meets ID a = 2® (mod n). 

Referring now to FIG. 2. a second embodiment 
of the invention comprises a first system 201, a 
second system 202 and an insecure communica- 
tion channel 203. It is assumed herein that the 

55 systems 201 and 202 are used by users A and B, 
respectively. The user A has or knows a secret 
integer number Sa and public integer numbers e, 
c, a. and n. which are not necessarily secret while 
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the user B has or foKws a secret integer number 
Seand the public integer numbers. These integer 
numbers are designated and distributed by a reli- 
able person or orgaruzation in advance. The meth* 
od to designate the integer numbers will be de* 5 
scribed later. 

An operation of the embodiment will next be 
described on a case where the user A starts com- 
muntcation. TTie system 201 of the user A gen- 
erates a random number ^ (Step AA1 in RG. 2) io 
and determines a first key distribution code Xa 
representative of a number obtained by computing 
tt^ (mod n) as well as a first Identification code 
YAindicative of a number obtained by computing 
Sa •a^(mod n) (AA2). The system 201 then trans- is 
mits a first pair of Xa and Ya to the system 202 of 
the user B (Step AM). Thereafter, the system 202 
receives the first pair (Xa . Ya) (Step BB1), cal- 
culates Ya* /Xa*' (mod n. and examines whether or 
not the number obtained by the calculation is iden- 20 
tical to the number indicated by an identification 
code IDa obtained by the address, the name and 
so on of the user A in a similar manner to in the 
first embodiment (Step BB2). If they are not iden- 
tical to each other, the system suspends process- 25 
ing of the key distribution (Step BB7). On the other 
hand. If they are identical to each other, the system 
202 generates a random number t (Step BB3) and 
detemtines a second key distribution code X b 
representative of a number obtained by calculating 30 
a*-' (mod n) and a second Identification code Yg 
obtained by calculating Se •a^' (mod n) (Step 
BB4). The system 202 then transmits a second pair 
of Xb and Yb to the system 201 of the user A (Step 
BBS). The system 202 calculates Xa^ (mod n) and 35 
keeps the number thus obtained as a enciphering 
key wk (Step B66). 

The system 201. on the other hand, receives 
the second pair (Xb, Yb) (Step AA4). calculates Y 
B*^*^ (mod n), and examines whether or not the 4o 
number thus obtained is identical to the number 
indicated by an identification code IDs obtained by 
the address, the name and so on of the user B In a 
similar manner to In the first embodiment (Step 
AA5). If they are not Identical to each other, the 45 
system suspends the key distribution processing 
(Step AA7). if they are identical to each other, the 
system 201 calculates Xb^ mod n), and stores the 
number thus obtained as a enciphering key wk 
(Step AA6). Although the codes IDa and ID b are 50 
widely known, they may be Informed by the user A 
to the user B. 

The integer numbers Sa. Sb. e. c, a and n are 
determined in the same manner as in the first 
embodiment As a result, ID a and IDb becomes 55 
equal to Ya^/Xa'^ (mod n) (= S^ •a«^/a«" (mod n)) 
and YbW (mod n) (~= S| •a««/o«^ (mod n )). 
respectively. If we presuppose that the above-rnen- 



tioned reliable person or organization who prepared 
Sa and Sg do not act illegally, since Sa is pos- 
sessed only by the user A while Sb is possessed 
only by the user B. the first pair (x a. y^) which 
satisfies yA® /xa*' (mod n) = IDa can be prepared 
only by the user A while the second pair (xs , ys) 
which satisfies ys^^B^ (mod n) » iDb can be pre- 
pared only by the user B. tt Is impossible to find 
out a number x which satisfies x' (mod n) » b on 
the basis of f, band n since finding out X is 
equivalent to breaidng tfie RSA public key cryp- 
togram system disclosed in the above-mentioned 
the Communication of the ACM. It is described In 
the above-referenced IEEE Transactions on Infor- 
mation Theory that the key wk cannot be cal- 
culated from the codes Xa or xs and n. The key 
distribution may be implemented ^'milariy by mak- 
ing tiie integer number C variable and sending It 
from a user to anotfier. 

An example of the systems 101, 102. 201 and 
202 to be used In the first and second embodi- 
ments will next be described refen-lng to RG. 3. 

Referring now to RG. 3, a system comprises a 
terminal unit (TMU) 301 such as a personal com- 
puter equipped with communication processing 
functions, a read only memory unit (ROM) 302. a 
random access memory unit (RAM) 303. a random 
number generator (RNG) 304, a signal processor 
(SP) 306, and a common bus 305 which intercon> 
nects the TMU 301. the ROM 302, the RAM 303. 
tiie RNG 304 and tiie SP 306. 

The RNG 304 may be a key source 25 dis- 
closed In as. Patent No. 4.200.700. The SP 308 
may be a processor available from CYUNK Cor- 
poration under the trade name CY 1024 KEY MAN- 
AGEMENT PROCESSOR. 

The RNG 304 generates random numbers r or 
t by a command given from the SP 306. The ROM 
407 stores the public integer numbers £ . c. a, n 
and tiie secret integer number Sa (if tiie"ROM 407 
is used in tiie system 101 or 201) or tiie secret 
integer number Sb Of the ROM 407 is used in tiie 
system 102 or 202). The numbers Sa and Sb may 
be stored In tiie RAM 303 from tiie TMU 301 
everytime users communicates. According to a 
program stored in the ROM 407. the SP 306 ex- 
ecutes the above-mentioned steps A2, A5. AA2, 
AA5. AA6 and AA7 (if the SP 306 Is used in tiie 
system 101 or 201), or tiie steps B3. B5. BB2. 
BB4. 6B6 and BB7 Of the SP 306 is used in tiie 
system 102 or 202). The RAM 303 is used to 
temporarily store calculation results in tfiese steps. 

Each of tiie systems 101. 102. 201 and 202 
may be a data processing unit such as a general 
purpose computer and an IC integrated circuit) 
card. 
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As described in detail hereinabove, tliis inven- 
tion enables users to effectively implement key 
distribution simply with a secret piece of infonma- 
tion and several public pieces of information. 

While this Invention has thus been described in 
conjunction with the preferred embodiments there- 
of, it will now readiiy be possible for those skilled In 
the art to put this invention into practice in various 
other manners. 



Claims 

1. A key distribution method comprising the 
following steps: 

a) generating a first random number in a first 
system; 

b) generating first key distribution Informa- 
tion in said first system by applying a predeter- 
mined first transfonmation to said first random num- 
ber on the basis of first secret Information known 
only by said first system: 

c) transmitting said first key distribution in- 
formation to a second system via a communication 
channel; 

d) receiving said first key distribution in- 
fbnnation in said second system; 

e) generating a second random number in 
said second system; 

f) generating second key distribution infor- 
mation by applying said predetermined first trans- 
formation to said second random number on the 
basis of second secret information known oniy by 
said second system; 

g) transmitting said second key distribution 
information to said first system via said channel; 

h) receiving said second key distribution in- 
formation In said first system; and 

i) generating an enciphering key in said first 
system by applying a predetenmlned second trans- 
fonnation to said second key distribution Infomna- 
tion on the basis of said first random number and 
identification information of said second system 
which is not secret 

2. A key distribution method as claimed in 
Claim 1. in which said first system includes first 
data processing means for executing said steps a), 
b) and i). and first communication processing 
means for executing said steps c) and h). 

3. A key distribution method as claimed in 
Claim 1 or 2, in which said second system includes 
second data processing means for executing said 
steps e) and f), and second communication pro- 
cessing means for executing said steps d) and g). 

4. A key distribution method comprising tiie 
following steps: 

a) generating a first random number in a first 
system; 



b) generating first key distribution informa- 
tion in said first system by applying a predeter- 
mined first transformation to said first random num- 
ber on tiie basis of public information and generat- 

5 ing first identification information by applying a 
predetemnined second transformation to said first 
random number on the basis of first secret Infonma- 
tion known only by said first system; 

c) transmitting said first key distribution in- 
10 formation and said first identification Information to 

a second system via a communication channel; 

d) receiving said first key distribution in- 
fonmation and said first identification Infonrnation In 
said second system; 

75 e) examining whether or not the result ok>- 

taned by applying a predetermined tiilrd trans- 
formation to said first key distribution information 
on tiie basis of said first Identification Infomiation 
satisfies a predetermined first condition and, if It 

so does not satisfy, suspending key distribution pro- 
cessing; 

f) generating a second random numljer if 
said first condition is satisfied at said step e); 

g) generating second key distribution infor- 
25 mation by applying said predetemiined first trans- 
formation to said second random number on the 
basis of said public information, and generating 
second identification infomiation by applying said 
predetermined second transformation to said sec- 

30 ond random number on the basis of second secret 
information known only by said second system; 

h) transmitting said second key distribution 
Infonmation and said second identification informa- 
tion to said first system via said communication 

35 channel; and 

i) examining in said first system whether or 
not tiie result obtained by applying a predeter- 
mined third transfomnation to said second key dis- 
tribution infomiation on tiie basis of said second 

40 identification information satisfies a predetermined 
second condition and, if tiie result does not satisfy 
said second condition, suspending said key dis- 
tribution processing or, if it satisfies said second 
condition, generating said enciphering key by ap- 

45 plying a predetomnined fourth transformation to 
said first random number on the basis of said 
second key distribution information. 

5. A key distribution metiiod as claimed in 
Claim 4, In which said first system includes first 

50 data processing means for executing said steps a), 
b) and i). and first communication processing 
means for executing said step c). 

6. A key distribution mettiod as claimed in 
Claim 4 or 5, in which said second system includes 

55 second data processing means for executing said 
steps e), f) and g), and second communication 
processing means for executing said steps d) and 
h). 
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